While a number of intelligence agencies operate in France, large-scale communications interception is carried out primarily by the Directorate General on Exterior Security under the Ministry of Defense, and the metadata collected is shared within the French intelligence network. All of the existing intelligence agencies were created by executive action and are regulated primarily by decrees, executive decisions, circulars, and instructions that are classified.
The interception of communications is governed by the Code of Domestic Security, which recognizes privacy guarantees but also provides for the interception of communications in exceptional circumstances where national security and other safety-related concerns are at issue. The Code provides that the Prime Minister may authorize interception on the proposal of specified ministers. Such authorizations are time limited. The information collected must be destroyed when no longer needed for a recognized purpose. Intelligence agencies may also obtain certain technical information directly from telephone and Internet service providers for the limited purpose of preventing acts of terrorism. Notwithstanding this limited legislative framework, the Directorate General on Exterior Security is reportedly collecting all telephone and electronic communications metadata in France. Oversight of interception surveillance is provided by the National Commission for Security Interceptions, but the Commission’s recommendations do not appear to be binding. Parliamentary requests for classified information are routinely rejected and the French Parliament has no right to hear or question members of the intelligence services.
France has six intelligence agencies. Three fall under the authority of the Ministry of Defense: the Direction générale de la sécurité extérieure (DGSE, Directorate General on Exterior Security), the Direction du renseignement militaire (DRM, Directorate on Military Intelligence), and the Direction de la protection et de la sécurité de la défense (DPSD, Directorate on Defense Protection and Security). Two agencies fall under the authority of the Ministry of Finance: the Cellule de traitement du renseignement et action contre les circuits financiers clandestins (TRACFIN, Service Against the Laundering of Capital and the Financing of Terrorism) and the Direction nationale du renseignement et des enquêtes douanières (DNRED, National Directorate on Customs Intelligence and Investigations). Finally, the Ministry of the Interior has an intelligence service as well, the Direction centrale du renseignement intérieur (DCRI, Central Directorate on Domestic Intelligence).
It appears that large-scale communications interception is mainly done by the DGSE, which has been reported to systematically collect all telephone and electronic communications metadata in France. The DGSE appears to share the collected metadata with the other French intelligence agencies.
II. Legislative Framework
French intelligence agencies operate within an ill-defined legal framework. A 2013 parliamentary report noted that much of France’s intelligence agencies still operate in a very blurry “para-legal” or “extra-legal” environment, despite some recent efforts by the legislative branch to provide a better framework.
The six main intelligence agencies mentioned above were all created by decisions of the executive branch rather than by legislation. The DGSE, DPSD, DRM, DCRI, and TRACFIN were all created by decrees, and the DNRED was created by an arrêté (executive decision). Only in 2011 did the French Parliament provide some legislative basis for the creation of these agencies, by adopting a law stating that “specialized intelligence services . . . are appointed by executive decision [arrêté] of the Prime Minister.” Furthermore, the regulation of French intelligence agencies rests on many decrees, executive decisions, circulars, and instructions that are classified.
The regulations mentioned above (decrees, executive decisions, etc.) do not have the same legal authority as duly enacted legislation. There appear to be serious shortcomings when it comes to such legislation that does exist, however. Until 2011, for example, French intelligence operatives were subject to the relevant provisions of the Criminal Code if they were caught under the cover of a false or borrowed identity. The abovementioned 2011 law, which implicitly acquiesced in the creation of the six French intelligence agencies, was the first law to provide some legal cover for the use of false or borrowed identities by intelligence operatives. Furthermore, while there is some legislation on the interception of communications (see Part III, below), certain aspects of intelligence gathering are not protected by any laws. It appears, for example, that no legislation authorizes intelligence agencies to use certain means such as “bugging” a private location, surreptitiously taking pictures of a person, or tracking the geographic location of a telephone or vehicle. These activities often run against privacy laws, yet are sometimes necessary for national security and/or antiterrorism purposes, forcing intelligence agencies to sometimes operate outside the law. A number of legislators are reportedly working on solving this problem, with plans to introduce legislation that would define more precisely how intelligence agencies may operate.
III. Interception of Communications
The interception of communications is governed by articles L241-1 to L245-3 of the Code de la sécurité intérieure (Code of Domestic Security). This Code states that “the secrecy of correspondence emitted via electronic communications is guaranteed by law,” but also provides that the interception of electronic communications may be authorized under “exceptional” circumstances for the purpose of gathering intelligence regarding national security; the safety of “essential elements of the scientific and economic potential of France”; the prevention of terrorism; the prevention of organized crime; and the prevention of the reorganization of banned groups such as armed militias, terrorist organizations, or hate groups. It appears that the term “electronic communication” includes telephone communications as well as fax and email.
The authorization to intercept electronic communications may only be given by written order of the Prime Minister, or by one of two persons specifically chosen by him, upon the written and reasoned proposal of either the Minister of Defense, Minister of the Interior, Minister in Charge of Customs, or one of two persons specifically chosen by each of them. This authorization is valid for a maximum of four months, but may be renewed by the same procedure under which it was initially granted. Only information relevant to one of the purposes enumerated above may be transcribed from the intercepted communications, and any recording must be destroyed after ten days. Transcriptions must be destroyed as soon as they are no longer needed for the purposes enumerated above. Furthermore, the Prime Minister sets, by decree, the maximum number of communications interceptions that may be simultaneously conducted at any given time. This number was set at 1,840 as of 2009.
For the limited purpose of preventing acts of terrorism, intelligence agencies may also obtain directly from telephone and Internet service providers the type of technical information that may be found on a telecommunications bill: the service subscriber’s identity, the location of the subscriber’s terminal equipment, the calls made and/or received, or the date and duration of these communications.
While the abovementioned legislation provides a legal framework for specific intercepts, the large-scale interception and storage of communications data does not appear to be governed by any legislation. Despite serious uncertainties about whether this practice is legal or not, the DGSE has been reported to systematically collect all telephone and electronic communications metadata in France.
The main body responsible for the oversight of interception surveillance is the Commission nationale pour les interceptions de securité (CNCIS, National Commission for Security Interceptions). When the Prime Minister (or one of his/her delegates) authorizes a communication interception, the CNCIS is to review this authorization. If the CNCIS deems that an authorization was not justified under the law, it sends a recommendation to the Prime Minister calling for the interruption of the interception in question. Such negative recommendations seem to be rare: out of 6,396 interception authorizations granted in 2011, only fifty-five received a negative recommendation by the CNCIS. The CNCIS’s recommendations do not appear to be legally binding.
Parliamentary oversight appears to be weak, as requests for classified documents from parliamentary committees tend to be rejected, and members of the French Parliament have no right to hear or question members of the intelligence services.
Prepared by Nicolas Boring
Foreign Law Specialist
 Jacques Follorou & Franck Johannes, Révélations sur le Big Brother français [Revelations on the French Big Brother], Le Monde (July 4, 2013), http://www.lemonde.fr/societe/article/2013/07/04/revelations-sur-le-big-brother-francais_3441973_3224.html.
 Rapport d’Information, supra note 1, at 13.
 Id. at 15–16.
 Loi n° 2011-267 du 14 mars 2011 d’orientation et de programmation pour la performance de la sécurité intérieure [Law No. 2011-267 of March 14, 2011, of Orientation and Programing for the Performance of Interior Security] art. 27 (Mar. 14, 2011), http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000023707312& categorieLien=id. This provision was incorporated into the French Code de la défense (Defense Code) as article L2371-1, http://www.legifrance.gouv.fr/affichCode.do;jsessionid=6D0EC48E6013B6B33D2E5A
 Rapport d’Information, supra note 1, at 17.
 Loi n° 2011-267 du 14 mars 2011, art. 27; Code de la defense art. L2371-1.
Rapport d’Information, supra note 1, at 31.
 Renseignements: une loi en 2015 [Intelligence: A Law in 2015], Le Figaro (Oct. 2, 2014), http://www.lefigaro. fr/flash-actu/2014/10/02/97001-20141002FILWWW00287-renseignements-une-loi-en-2015.php.
 Code de la sécurité intérieure [Code of Domestic Security] arts. L241-1 to L245-3, http://www.legifrance. gouv.fr/affichCode.do?cidTexte=LEGITEXT000025503132&dateTexte=20141204.
 Id. art. L241-1.
 Id. art. L241-2.
 Rapport d’Information, supra note 1, at 18–22.
 Code de la sécurité intérieure art. L242-1.
 Id. art. L242-2.
 Id. arts. L242-5 & L242-6.
 Id. art. L242-7.
 Id. art. L242-2.
 Rapport d’Information, supra note 1, at 21.
 Code des postes et des communications electroniques [Code of Postal Services and Electronic Communications] art. L34-1-1, http://www.legifrance.gouv.fr/affichCode.do;jsessionid=47C556F895D42 9A18C4DDAFD5997AA7D.tpdjo10v_3?cidTexte=LEGITEXT000006070987&dateTexte
 Directorate-General for Internal Policies, European Parliament, National Programmes for Mass Surveillance of Personal Data in EU Member States and their Compatibility with EU Law 66 (Oct. 2013), http://www.europarl.europa.eu/RegData/etudes/etudes/join/2013/493032/IPOL-LIBE_ET(2013) 493032_EN.pdf.
 Id.; Follorou & Johannes, supra note 2.
 Code de la sécurité intérieure art. L243-1.
 Id. art. L243-8.
 Rapport d’Information, supra note 1, at 21.
 National Programmes for Mass Surveillance, supra note 24, at 66.
Last Updated: 06/09/2015